[Snort-users] Creating Your Own Snort Rule?

waldo kitty wkitty42 at ...14940...
Tue Mar 12 18:16:36 EDT 2013

i have got to get my sig mess figured out... i don't provide private support... 
IM(H)O everything should go thru the list unless the data is too private to be 
dispersed... reply-to set to snort-users...

see inline for the rest of my reply...

On 3/12/2013 12:58, Jeremy Golden wrote:
> Awesome. So I got the outbound one alerting when I download a .exe file from the Internet, but how would I go about getting the inbound to alert? I thought maybe carrying a .exe file from a USB would trigger it but it didn't. Maybe Im not understanding 'inbound'.

actually, outbound is outward from your network to the rest of the world... 
inbound from the rest of the world into your network...

the simple content of ".exe" won't catch binary exe files... it might but it 
will also alert on irc or email or web pages with .exe in them... binaries are a 
lot more involved and TBH are pretty much already handled in the existing rules 
sets available...

files carried on a USB stick won't set off snort because it doesn't scan USB 
sticks like an anti-virus might... the data has to actually travel over the 
network wire being monitored...

> Thanks
> On Mar 12, 2013, at 1:14 PM, waldo kitty<wkitty42 at ...14940...>  wrote:
>> On 3/12/2013 11:28, Jeremy Golden wrote:
>>> Does anyone have a good rule they've created on their own? I need to make my own rule, but I want it to be simple, yet effective.
>>> For example, maybe a rule that alerts when an .exe file is being downloaded. Nothing too intense, but simple to understand.
>>> Any examples would be great.
>> i just posted some extremely simple ones that catch everything... however, they
>> make a decent starting point, too...
>> for example:
>> alert icmp $EXTERNAL_NET any ->  $HOME_NET any (msg:"icmp traffic inbound";
>> sid:1; rev:1;)
>> we'll change this to catch /any/ mention of ".exe" in /tcp/ traffic...
>> alert tcp $EXTERNAL_NET any ->  $HOME_NET any (msg:".exe mentioned in tcp traffic
>> inbound"; content;".exe"; sid:x; rev:1;)
>> alert tcp $HOME_NET any ->  $EXTERNAL_NET any (msg:".exe mentioned in tcp traffic
>> outbound"; content;".exe"; sid:x; rev:1;)
>> there's two... one for inbound and one for outbound...
>> 1. we changed the protocol from "icmp" to "tcp".
>> 2. we adjusted the msg text that is used.
>> 3. we added a content field to look for.
>> 4. only ".exe" is looked for... ".EXE" or ".Exe" or ".eXe" or such will not trigger.
>> 5. you have to set the SID number to a unique number for your rules sets... the
>> revision should be incremented each time you make a (major?) change in the rule.
>> now, the above does not look for an actual executable file... it only looks for
>> the four characters .exe all together... looking for actual binaries is a little
>> bit tougher to do but the concept is still the same... you look for content...
>> there are various buffers you can look in... you can go case insensitive... you
>> can refine for specific examples via pcre...

More information about the Snort-users mailing list